Page tree
Skip to end of metadata
Go to start of metadata

Saving, using and collecting the register

The new requirements for personal data registers limit the location the register can be stored at. The register should be, except in special specific cases, stored within the EU and access to the register should be limited even more strictly than before. In addition, the storage location needs to be safe and have proper information security. Remember to correlate the size of the register with the method of encryption when choosing the storage mode: The GDPR is based on a principle of reasonability, so small registers need not be excessively encrypted.

Below is a list of workable solutions, with listed pros and cons.

Storage and use

  • Shared encrypted file partition. A cryptographic program encrypted with for example VeraCrypt, with a strong encryption. The file is opened with a password and when opened, shows as a partitioned disk on the computer. Sharing can be done with ease in a cloud-based service like Google Drive or OneDrive, through which the association correspondent can control the user rights.
    • Pros: Good information security. You can store anything in the file partition, so you can keep the register in any format. Easy to implement.
    • Cons: Requires getting used to and some training for people not versed in tech.
  • Shared excel sheet. An excel sheet can be shared through a cloud if it is password-protected. Akin to the file partition, the user control is done through the cloud.
    • Pros: Very easy to implement and use. Extremely effective for small activities.
    • Cons: File format restricted. Not very high information security.
  • Personal physical external storage server/hard drive, for example an association’s server. Linux-based user interface. A good choice if you have a server up and running and the association has knowledge of server upkeep. When saving the registers, you should ensure file coherence with RAID technology and backups. Contact to the server through the internet is nowadays free with LetsEncrypt certificates.
    • Pros: Enables very strong information security and direct communication between programs. User control is very versatile through the user interface. Enables automation services of registers.
    • Cons: Requires the most upkeep and administration. Requires a lot of practice to master if not versed in Linux. Requires a physical space and equipment for the association.

Electronic information collection

  • G suite – Paid service for companies by Google. The paid version of Google Forms and Drive services are accounted in the GDPR through the Privacy Shield certificate.
    • Pros: A working, easy-to-use way to create signup sheets.
    • Cons: Costs 4 EUR a month in upkeep.
  • Microsoft Forms through o365 offered by Aalto. N.B. Aalto has not answered officially if this kind of use is covered by the user agreement. When working, same as the Google Forms service. Implemented through the instructions found at
    • Pros: Free and handy to use.
    • Cons: The questionnaire creator must be an active student at Aalto. No official confirmation on user agreement yet.
  • Private web page forums, can be implemented through e.g. Wordpress.
    • Pros: Free, very customizable through the platform.
    • Cons: Requires a lot of work to implement, when considering all the options available.


  • Q: We have an old sitsi signup registry, left over from the previous board. Is the current board responsible for it?
  • A: Yes, the new board is responsible. You should play it safe and check out all the files the association has before the GDPR comes into effect and delete all unneeded registers.

  • Q: The law requires us to keep documentation for ten years. Should we now edit all of them to remove personal information?
  • A: No. The GDPR is a general enactment, special enactments like the Act on Associations have priority in conflict cases.


  • Q: Can I use the register information on my own computer?
  • A: Yes. Data transfers between your computer and the register’s location (e.g. server) should be encrypted, for example through https or ssh traffic.


  • Q: Can I forward information of people to other parties, for example a ferry company or the organizer of lodgings?
  • A: Yes, if you mention the fact when you are collecting information. You might also want to inform the reason to the people concerned.

  • Q: Can I use Google Drive as a location for saving data?
  • A: The free version of Google Drive does not fulfil the requirements of the GDPR. The office 365 offered to students of Aalto does, if the data is encrypted from the server admins. You can encrypt the data for example by adding a password to the files themselves (excel supports this when saving files).


  • Q: A person asked us for the information on them regarding the pictures the association has. The pictures in which the person is also have other people in them. Can we hand over the pictures?
  • A: If the pictures are not already publicly shared (for example in the picture database of the guild), pictures which contain other people cannot be handed over.


  • Q: How can I confirm that the person asking for the information is who they say they are?
  • A: The more sensitive the data, the more important it is to confirm identity of the asking party. In small requests it should be enough that the request comes from the same email as the one found in the register. In large requests (or sensitive ones), it is reasonable to ask for the person to come in person and prove their identity with an ID.


For further info and questions, please contact AYY IT-specialist at .

Sample documents:

Core Points for Associations Regarding Data Protection - 09.04.2018:

  • No labels